summaryrefslogtreecommitdiffstats
path: root/plugins/sudoers/regress/fuzz
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/sudoers/regress/fuzz')
-rw-r--r--plugins/sudoers/regress/fuzz/fuzz_policy.c932
-rw-r--r--plugins/sudoers/regress/fuzz/fuzz_policy.dict56
-rw-r--r--plugins/sudoers/regress/fuzz/fuzz_stubs.c100
-rw-r--r--plugins/sudoers/regress/fuzz/fuzz_sudoers.c419
-rw-r--r--plugins/sudoers/regress/fuzz/fuzz_sudoers.dict221
-rw-r--r--plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok577
-rw-r--r--plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c151
-rw-r--r--plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.dict14
8 files changed, 2470 insertions, 0 deletions
diff --git a/plugins/sudoers/regress/fuzz/fuzz_policy.c b/plugins/sudoers/regress/fuzz/fuzz_policy.c
new file mode 100644
index 0000000..0b01e4e
--- /dev/null
+++ b/plugins/sudoers/regress/fuzz/fuzz_policy.c
@@ -0,0 +1,932 @@
+/*
+ * Copyright (c) 2021-2023 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#if defined(HAVE_STDINT_H)
+# include <stdint.h>
+#elif defined(HAVE_INTTYPES_H)
+# include <inttypes.h>
+#endif
+#include <errno.h>
+#include <fcntl.h>
+#include <netdb.h>
+#include <unistd.h>
+#include <string.h>
+#ifndef HAVE_GETADDRINFO
+# include <compat/getaddrinfo.h>
+#endif
+
+#include <sudoers.h>
+#include <sudo_iolog.h>
+#include <interfaces.h>
+#include <timestamp.h>
+#include "auth/sudo_auth.h"
+
+extern char **environ;
+extern sudo_dso_public struct policy_plugin sudoers_policy;
+
+char *audit_msg;
+
+static int pass;
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+static FILE *
+open_data(const uint8_t *data, size_t size)
+{
+#ifdef HAVE_FMEMOPEN
+ /* Operate in-memory. */
+ return fmemopen((void *)data, size, "r");
+#else
+ char tempfile[] = "/tmp/sudoers.XXXXXX";
+ size_t nwritten;
+ int fd;
+
+ /* Use (unlinked) temporary file. */
+ fd = mkstemp(tempfile);
+ if (fd == -1)
+ return NULL;
+ unlink(tempfile);
+ nwritten = write(fd, data, size);
+ if (nwritten != size) {
+ close(fd);
+ return NULL;
+ }
+ lseek(fd, 0, SEEK_SET);
+ return fdopen(fd, "r");
+#endif
+}
+
+/*
+ * Array that gets resized as needed.
+ */
+struct dynamic_array {
+ char **entries;
+ size_t len;
+ size_t size;
+};
+
+static void
+free_strvec(char **vec)
+{
+ size_t i;
+
+ for (i = 0; vec[i] != NULL; i++)
+ free(vec[i]);
+}
+
+static void
+free_dynamic_array(struct dynamic_array *arr)
+{
+ if (arr->entries != NULL) {
+ free_strvec(arr->entries);
+ free(arr->entries);
+ }
+ memset(arr, 0, sizeof(*arr));
+}
+
+static bool
+push(struct dynamic_array *arr, const char *entry)
+{
+ char *copy = NULL;
+
+ if (entry != NULL) {
+ if ((copy = strdup(entry)) == NULL)
+ return false;
+ }
+
+ if (arr->len + (entry != NULL) >= arr->size) {
+ char **tmp = reallocarray(arr->entries, arr->size + 1024, sizeof(char *));
+ if (tmp == NULL) {
+ free(copy);
+ return false;
+ }
+ arr->entries = tmp;
+ arr->size += 1024;
+ }
+ if (copy != NULL)
+ arr->entries[arr->len++] = copy;
+ arr->entries[arr->len] = NULL;
+
+ return true;
+}
+
+static int
+fuzz_conversation(int num_msgs, const struct sudo_conv_message msgs[],
+ struct sudo_conv_reply replies[], struct sudo_conv_callback *callback)
+{
+ int n;
+
+ for (n = 0; n < num_msgs; n++) {
+ const struct sudo_conv_message *msg = &msgs[n];
+
+ switch (msg->msg_type & 0xff) {
+ case SUDO_CONV_PROMPT_ECHO_ON:
+ case SUDO_CONV_PROMPT_MASK:
+ case SUDO_CONV_PROMPT_ECHO_OFF:
+ /* input not supported */
+ return -1;
+ case SUDO_CONV_ERROR_MSG:
+ case SUDO_CONV_INFO_MSG:
+ /* no output for fuzzers */
+ break;
+ default:
+ return -1;
+ }
+ }
+ return 0;
+}
+
+static int
+fuzz_printf(int msg_type, const char * restrict fmt, ...)
+{
+ return 0;
+}
+
+static int
+fuzz_hook_stub(struct sudo_hook *hook)
+{
+ return 0;
+}
+
+/*
+ * The fuzzing environment may not have DNS available, this may result
+ * in long delays that cause a timeout when fuzzing.
+ * This getaddrinfo() resolves every name as "localhost" (127.0.0.1).
+ */
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+/* Avoid compilation errors if getaddrinfo() or freeaddrinfo() are macros. */
+# undef getaddrinfo
+# undef freeaddrinfo
+
+int
+# ifdef HAVE_GETADDRINFO
+getaddrinfo(
+# else
+sudo_getaddrinfo(
+# endif
+ const char *nodename, const char *servname,
+ const struct addrinfo *hints, struct addrinfo **res)
+{
+ struct addrinfo *ai;
+ struct in_addr addr;
+ unsigned short port = 0;
+
+ /* Stub getaddrinfo(3) to avoid a DNS timeout in CIfuzz. */
+ if (servname == NULL) {
+ /* Must have either nodename or servname. */
+ if (nodename == NULL)
+ return EAI_NONAME;
+ } else {
+ struct servent *servent;
+ const char *errstr;
+
+ /* Parse servname as a port number or IPv4 TCP service name. */
+ port = sudo_strtonum(servname, 0, USHRT_MAX, &errstr);
+ if (errstr != NULL && errno == ERANGE)
+ return EAI_SERVICE;
+ if (hints != NULL && ISSET(hints->ai_flags, AI_NUMERICSERV))
+ return EAI_NONAME;
+ servent = getservbyname(servname, "tcp");
+ if (servent == NULL)
+ return EAI_NONAME;
+ port = htons(servent->s_port);
+ }
+
+ /* Hard-code IPv4 localhost for fuzzing. */
+ ai = calloc(1, sizeof(*ai) + sizeof(struct sockaddr_in));
+ if (ai == NULL)
+ return EAI_MEMORY;
+ ai->ai_canonname = strdup("localhost");
+ if (ai == NULL) {
+ free(ai);
+ return EAI_MEMORY;
+ }
+ ai->ai_family = AF_INET;
+ ai->ai_protocol = IPPROTO_TCP;
+ ai->ai_addrlen = sizeof(struct sockaddr_in);
+ ai->ai_addr = (struct sockaddr *)(ai + 1);
+ inet_pton(AF_INET, "127.0.0.1", &addr);
+ ((struct sockaddr_in *)ai->ai_addr)->sin_family = AF_INET;
+ ((struct sockaddr_in *)ai->ai_addr)->sin_addr = addr;
+ ((struct sockaddr_in *)ai->ai_addr)->sin_port = htons(port);
+ *res = ai;
+ return 0;
+}
+
+void
+# ifdef HAVE_GETADDRINFO
+freeaddrinfo(struct addrinfo *ai)
+# else
+sudo_freeaddrinfo(struct addrinfo *ai)
+# endif
+{
+ struct addrinfo *next;
+
+ while (ai != NULL) {
+ next = ai->ai_next;
+ free(ai->ai_canonname);
+ free(ai);
+ ai = next;
+ }
+}
+#endif /* FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION */
+
+enum fuzz_policy_pass {
+ PASS_NONE,
+ PASS_VERSION,
+ PASS_CHECK_LOG_LOCAL,
+ PASS_CHECK_LOG_REMOTE,
+ PASS_CHECK_NOT_FOUND,
+ PASS_CHECK_NOT_FOUND_DOT,
+ PASS_LIST,
+ PASS_LIST_OTHER,
+ PASS_LIST_CHECK,
+ PASS_VALIDATE,
+ PASS_INVALIDATE
+};
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ struct dynamic_array plugin_args = { NULL };
+ struct dynamic_array settings = { NULL };
+ struct dynamic_array user_info = { NULL };
+ struct dynamic_array argv = { NULL };
+ struct dynamic_array env_add = { NULL };
+ char **command_info = NULL, **argv_out = NULL, **user_env_out = NULL;
+ const char *errstr = NULL;
+ const int num_passes = 10;
+ char *line = NULL;
+ size_t linesize = 0;
+ ssize_t linelen;
+ int res = 1;
+ FILE *fp;
+
+ fp = open_data(data, size);
+ if (fp == NULL)
+ return 0;
+
+ initprogname("fuzz_policy");
+ sudoers_debug_register(getprogname(), NULL);
+ if (getenv("SUDO_FUZZ_VERBOSE") == NULL)
+ sudo_warn_set_conversation(fuzz_conversation);
+
+ /* user_info and settings must be non-NULL (even if empty). */
+ push(&user_info, NULL);
+ push(&settings, NULL);
+
+ /* Iterate over each line of data. */
+ while ((linelen = getdelim(&line, &linesize, '\n', fp)) != -1) {
+ if (line[linelen - 1] == '\n')
+ line[linelen - 1] = '\0';
+
+ /* Skip comments and blank lines. */
+ if (line[0] == '#' || line[0] == '\0')
+ continue;
+
+ /* plugin args */
+ if (strncmp(line, "error_recovery=", sizeof("error_recovery=") - 1) == 0) {
+ push(&plugin_args, line);
+ continue;
+ }
+ if (strncmp(line, "sudoers_file=", sizeof("sudoers_file=") - 1) == 0) {
+ push(&plugin_args, line);
+ continue;
+ }
+ if (strncmp(line, "sudoers_mode=", sizeof("sudoers_mode=") - 1) == 0) {
+ push(&plugin_args, line);
+ continue;
+ }
+ if (strncmp(line, "sudoers_gid=", sizeof("sudoers_gid=") - 1) == 0) {
+ push(&plugin_args, line);
+ continue;
+ }
+ if (strncmp(line, "sudoers_uid=", sizeof("sudoers_uid=") - 1) == 0) {
+ push(&plugin_args, line);
+ continue;
+ }
+ if (strncmp(line, "ldap_conf=", sizeof("ldap_conf=") - 1) == 0) {
+ push(&plugin_args, line);
+ continue;
+ }
+ if (strncmp(line, "ldap_secret=", sizeof("ldap_secret=") - 1) == 0) {
+ push(&plugin_args, line);
+ continue;
+ }
+
+ /* user info */
+ if (strncmp(line, "user=", sizeof("user=") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+ if (strncmp(line, "uid=", sizeof("uid=") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+ if (strncmp(line, "gid=", sizeof("gid=") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+ if (strncmp(line, "groups=", sizeof("groups=") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+ if (strncmp(line, "cwd=", sizeof("cwd=") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+ if (strncmp(line, "tty=", sizeof("tty=") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+ if (strncmp(line, "host=", sizeof("host=") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+ if (strncmp(line, "lines=", sizeof("lines=") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+ if (strncmp(line, "cols=", sizeof("cols=") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+ if (strncmp(line, "sid=", sizeof("sid=") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+ if (strncmp(line, "umask=", sizeof("umask=") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+ if (strncmp(line, "rlimit_", sizeof("rlimit_") - 1) == 0) {
+ push(&user_info, line);
+ continue;
+ }
+
+ /* First argv entry is the command, the rest are args. */
+ if (strncmp(line, "argv=", sizeof("argv=") - 1) == 0) {
+ push(&argv, line);
+ continue;
+ }
+
+ /* Additional environment variables to add. */
+ if (strncmp(line, "env=", sizeof("env=") - 1) == 0) {
+ const char *cp = line + sizeof("env=") - 1;
+ if (strchr(cp, '=') != NULL)
+ push(&env_add, cp);
+ continue;
+ }
+
+ /* Treat anything else as a setting. */
+ push(&settings, line);
+ }
+ fclose(fp);
+ free(line);
+ line = NULL;
+
+ /* Exercise code paths that use KRB5CCNAME and SUDO_PROMPT. */
+ putenv((char *)"KRB5CCNAME=/tmp/krb5cc_123456");
+ putenv((char *)"SUDO_PROMPT=[sudo] password for %p: ");
+
+ sudoers_policy.register_hooks(SUDO_API_VERSION, fuzz_hook_stub);
+
+ for (pass = 1; res == 1 && pass <= num_passes; pass++) {
+ /* Call policy open function */
+ res = sudoers_policy.open(SUDO_API_VERSION, fuzz_conversation,
+ fuzz_printf, settings.entries, user_info.entries, environ,
+ plugin_args.entries, &errstr);
+ if (res == 1) {
+ if (argv.len == 0) {
+ /* Must have a command to check. */
+ push(&argv, "/usr/bin/id");
+ }
+
+ switch (pass) {
+ case PASS_NONE:
+ break;
+ case PASS_VERSION:
+ /* sudo -V */
+ sudoers_policy.show_version(true);
+ break;
+ case PASS_CHECK_LOG_LOCAL: {
+ /* sudo command w/ local I/O logging (MODE_RUN) */
+ sudoers_policy.check_policy((int)argv.len, argv.entries,
+ env_add.entries, &command_info, &argv_out, &user_env_out,
+ &errstr);
+ /* call check_policy() again to check for leaks. */
+ sudoers_policy.check_policy((int)argv.len, argv.entries,
+ env_add.entries, &command_info, &argv_out, &user_env_out,
+ &errstr);
+ /* sudo_auth_begin_session() is stubbed out below. */
+ sudoers_policy.init_session(NULL, NULL, NULL);
+ break;
+ }
+ case PASS_CHECK_LOG_REMOTE:
+ /* sudo command w/ remote I/O logging (MODE_RUN) */
+ sudoers_policy.check_policy((int)argv.len, argv.entries,
+ env_add.entries, &command_info, &argv_out, &user_env_out,
+ &errstr);
+ /* call check_policy() again to check for leaks. */
+ sudoers_policy.check_policy((int)argv.len, argv.entries,
+ env_add.entries, &command_info, &argv_out, &user_env_out,
+ &errstr);
+ /* sudo_auth_begin_session() is stubbed out below. */
+ sudoers_policy.init_session(NULL, NULL, NULL);
+ break;
+ case PASS_CHECK_NOT_FOUND:
+ /* sudo command (not found) */
+ sudoers_policy.check_policy((int)argv.len, argv.entries,
+ env_add.entries, &command_info, &argv_out, &user_env_out,
+ &errstr);
+ /* sudo_auth_begin_session() is stubbed out below. */
+ sudoers_policy.init_session(NULL, NULL, NULL);
+ break;
+ case PASS_CHECK_NOT_FOUND_DOT:
+ /* sudo command (found but in cwd) */
+ sudoers_policy.check_policy((int)argv.len, argv.entries,
+ env_add.entries, &command_info, &argv_out, &user_env_out,
+ &errstr);
+ /* call check_policy() again to check for leaks. */
+ sudoers_policy.check_policy((int)argv.len, argv.entries,
+ env_add.entries, &command_info, &argv_out, &user_env_out,
+ &errstr);
+ /* sudo_auth_begin_session() is stubbed out below. */
+ sudoers_policy.init_session(NULL, NULL, NULL);
+ break;
+ case PASS_LIST:
+ /* sudo -l (MODE_LIST) */
+ sudoers_policy.list(0, NULL, false, NULL, &errstr);
+ /* call list() again to check for leaks. */
+ sudoers_policy.list(0, NULL, false, NULL, &errstr);
+ break;
+ case PASS_LIST_OTHER:
+ /* sudo -l -U root (MODE_LIST) */
+ sudoers_policy.list(0, NULL, false, "root", &errstr);
+ /* call list() again to check for leaks. */
+ sudoers_policy.list(0, NULL, false, "root", &errstr);
+ break;
+ case PASS_LIST_CHECK:
+ /* sudo -l command (MODE_CHECK) */
+ sudoers_policy.list((int)argv.len, argv.entries, false, NULL,
+ &errstr);
+ /* call list() again to check for leaks. */
+ sudoers_policy.list((int)argv.len, argv.entries, false, NULL,
+ &errstr);
+ break;
+ case PASS_VALIDATE:
+ /* sudo -v (MODE_VALIDATE) */
+ sudoers_policy.validate(&errstr);
+ /* call validate() again to check for leaks. */
+ sudoers_policy.validate(&errstr);
+ break;
+ case PASS_INVALIDATE:
+ /* sudo -k */
+ sudoers_policy.invalidate(false);
+ /* call invalidate() again to check for leaks. */
+ sudoers_policy.invalidate(false);
+ break;
+ }
+ }
+
+ /* Free resources. */
+ if (sudoers_policy.close != NULL)
+ sudoers_policy.close(0, 0);
+ else
+ sudoers_cleanup();
+ }
+
+ sudoers_policy.deregister_hooks(SUDO_API_VERSION, fuzz_hook_stub);
+
+ free_dynamic_array(&plugin_args);
+ free_dynamic_array(&settings);
+ free_dynamic_array(&user_info);
+ free_dynamic_array(&argv);
+ free_dynamic_array(&env_add);
+
+ sudoers_debug_deregister();
+
+ fflush(stdout);
+
+ return 0;
+}
+
+/* STUB */
+bool
+user_is_exempt(const struct sudoers_context *ctx)
+{
+ return false;
+}
+
+/* STUB */
+bool
+set_interfaces(const char *ai)
+{
+ return true;
+}
+
+/* STUB */
+void
+dump_interfaces(const char *ai)
+{
+ return;
+}
+
+/* STUB */
+void
+dump_auth_methods(void)
+{
+ return;
+}
+
+/* STUB */
+int
+sudo_auth_begin_session(const struct sudoers_context *ctx, struct passwd *pw,
+ char **user_env[])
+{
+ return 1;
+}
+
+/* STUB */
+int
+sudo_auth_end_session(void)
+{
+ return 1;
+}
+
+/* STUB */
+bool
+sudo_auth_needs_end_session(void)
+{
+ return false;
+}
+
+/* STUB */
+int
+timestamp_remove(const struct sudoers_context *ctx, bool unlink_it)
+{
+ return true;
+}
+
+/* STUB */
+int
+create_admin_success_flag(const struct sudoers_context *ctx)
+{
+ return true;
+}
+
+/* STUB */
+static int
+sudo_file_open(struct sudoers_context *ctx, struct sudo_nss *nss)
+{
+ return 0;
+}
+
+/* STUB */
+static int
+sudo_file_close(struct sudoers_context *ctx, struct sudo_nss *nss)
+{
+ return 0;
+}
+
+/* STUB */
+static struct sudoers_parse_tree *
+sudo_file_parse(struct sudoers_context *ctx, const struct sudo_nss *nss)
+{
+ static struct sudoers_parse_tree parse_tree;
+
+ return &parse_tree;
+}
+
+/* STUB */
+static int
+sudo_file_query(struct sudoers_context *ctx, const struct sudo_nss *nss,
+ struct passwd *pw)
+{
+ return 0;
+}
+
+/* STUB */
+static int
+sudo_file_getdefs(struct sudoers_context *ctx, const struct sudo_nss *nss)
+{
+ /* Set some Defaults */
+ set_default(ctx, "log_input", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "log_output", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "env_file", "/dev/null", true, "sudoers", 1, 1, false);
+ set_default(ctx, "restricted_env_file", "/dev/null", true, "sudoers", 1, 1, false);
+ set_default(ctx, "exempt_group", "sudo", true, "sudoers", 1, 1, false);
+ set_default(ctx, "runchroot", "/", true, "sudoers", 1, 1, false);
+ set_default(ctx, "runcwd", "~", true, "sudoers", 1, 1, false);
+ set_default(ctx, "fqdn", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "runas_default", "root", true, "sudoers", 1, 1, false);
+ set_default(ctx, "tty_tickets", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "umask", "022", true, "sudoers", 1, 1, false);
+ set_default(ctx, "logfile", "/var/log/sudo", true, "sudoers", 1, 1, false);
+ set_default(ctx, "syslog", "auth", true, "sudoers", 1, 1, false);
+ set_default(ctx, "syslog_goodpri", "notice", true, "sudoers", 1, 1, false);
+ set_default(ctx, "syslog_badpri", "alert", true, "sudoers", 1, 1, false);
+ set_default(ctx, "syslog_maxlen", "2048", true, "sudoers", 1, 1, false);
+ set_default(ctx, "loglinelen", "0", true, "sudoers", 1, 1, false);
+ set_default(ctx, "log_year", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "log_host", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "mailerpath", NULL, false, "sudoers", 1, 1, false);
+ set_default(ctx, "mailerflags", "-t", true, "sudoers", 1, 1, false);
+ set_default(ctx, "mailto", "root@localhost", true, "sudoers", 1, 1, false);
+ set_default(ctx, "mailfrom", "sudo@sudo.ws", true, "sudoers", 1, 1, false);
+ set_default(ctx, "mailsub", "Someone has been naughty on %h", true, "sudoers", 1, 1, false);
+ set_default(ctx, "timestampowner", "#0", true, "sudoers", 1, 1, false);
+ set_default(ctx, "compress_io", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "iolog_flush", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "iolog_flush", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "maxseq", "2176782336", true, "sudoers", 1, 1, false);
+ set_default(ctx, "sudoedit_checkdir", NULL, false, "sudoers", 1, 1, false);
+ set_default(ctx, "sudoedit_follow", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "ignore_iolog_errors", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "ignore_iolog_errors", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "noexec", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "exec_background", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "use_pty", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "utmp_runas", NULL, true, "sudoers", 1, 1, false);
+ set_default(ctx, "iolog_mode", "0640", true, "sudoers", 1, 1, false);
+ set_default(ctx, "iolog_user", NULL, false, "sudoers", 1, 1, false);
+ set_default(ctx, "iolog_group", NULL, false, "sudoers", 1, 1, false);
+ if (pass != PASS_CHECK_LOG_LOCAL) {
+ set_default(ctx, "log_servers", "localhost", true, "sudoers", 1, 1, false);
+ set_default(ctx, "log_server_timeout", "30", true, "sudoers", 1, 1, false);
+ set_default(ctx, "log_server_cabundle", "/etc/ssl/cacert.pem", true, "sudoers", 1, 1, false);
+ set_default(ctx, "log_server_peer_cert", "/etc/ssl/localhost.crt", true, "sudoers", 1, 1, false);
+ set_default(ctx, "log_server_peer_key", "/etc/ssl/private/localhost.key", true, "sudoers", 1, 1, false);
+ }
+
+ return 0;
+}
+
+static struct sudo_nss sudo_nss_file = {
+ { NULL, NULL },
+ "sudoers",
+ sudo_file_open,
+ sudo_file_close,
+ sudo_file_parse,
+ sudo_file_query,
+ sudo_file_getdefs
+};
+
+struct sudo_nss_list *
+sudo_read_nss(void)
+{
+ static struct sudo_nss_list snl = TAILQ_HEAD_INITIALIZER(snl);
+
+ if (TAILQ_EMPTY(&snl))
+ TAILQ_INSERT_TAIL(&snl, &sudo_nss_file, entries);
+
+ return &snl;
+}
+
+/* STUB */
+int
+check_user(struct sudoers_context *ctx, unsigned int validated,
+ unsigned int mode)
+{
+ return AUTH_SUCCESS;
+}
+
+/* STUB */
+int
+check_user_runchroot(const char *runchroot)
+{
+ return true;
+}
+
+/* STUB */
+int
+check_user_runcwd(const char *runcwd)
+{
+ return true;
+}
+
+/* STUB */
+void
+group_plugin_unload(void)
+{
+ return;
+}
+
+/* STUB */
+bool
+log_warning(const struct sudoers_context *ctx, unsigned int flags,
+ const char * restrict fmt, ...)
+{
+ return true;
+}
+
+/* STUB */
+bool
+log_warningx(const struct sudoers_context *ctx, unsigned int flags,
+ const char * restrict fmt, ...)
+{
+ return true;
+}
+
+/* STUB */
+bool
+gai_log_warning(const struct sudoers_context *ctx, unsigned int flags,
+ int errnum, const char * restrict fmt, ...)
+{
+ return true;
+}
+
+/* STUB */
+bool
+log_denial(const struct sudoers_context *ctx, unsigned int status,
+ bool inform_user)
+{
+ return true;
+}
+
+/* STUB */
+bool
+log_failure(const struct sudoers_context *ctx,unsigned int status, int flags)
+{
+ return true;
+}
+
+/* STUB */
+bool
+log_exit_status(const struct sudoers_context *ctx, int exit_status)
+{
+ return true;
+}
+
+/* STUB */
+bool
+mail_parse_errors(const struct sudoers_context *ctx)
+{
+ return true;
+}
+
+/* STUB */
+bool
+log_parse_error(const struct sudoers_context *ctx, const char *file,
+ int line, int column, const char * restrict fmt, va_list args)
+{
+ return true;
+}
+
+/* STUB */
+int
+audit_failure(const struct sudoers_context *ctx, char *const argv[],
+ char const * restrict const fmt, ...)
+{
+ return 0;
+}
+
+/* STUB */
+unsigned int
+sudoers_lookup(struct sudo_nss_list *snl, struct sudoers_context *ctx,
+ time_t now, sudoers_lookup_callback_fn_t callback, void *cb_data,
+ int *cmnd_status, int pwflag)
+{
+ return VALIDATE_SUCCESS;
+}
+
+/* STUB */
+int
+display_cmnd(struct sudoers_context *ctx, const struct sudo_nss_list *snl,
+ struct passwd *pw, int verbose)
+{
+ return true;
+}
+
+/* STUB */
+int
+display_privs(struct sudoers_context *ctx, const struct sudo_nss_list *snl,
+ struct passwd *pw, int verbose)
+{
+ return true;
+}
+
+/* STUB */
+int
+find_path(const char *infile, char **outfile, struct stat *sbp,
+ const char *path, bool ignore_dot, char * const *allowlist)
+{
+ switch (pass) {
+ case PASS_CHECK_NOT_FOUND:
+ return NOT_FOUND;
+ case PASS_CHECK_NOT_FOUND_DOT:
+ return NOT_FOUND_DOT;
+ default:
+ if (infile[0] == '/') {
+ *outfile = strdup(infile);
+ } else {
+ if (asprintf(outfile, "/usr/bin/%s", infile) == -1)
+ *outfile = NULL;
+ }
+ if (*outfile == NULL)
+ return NOT_FOUND_ERROR;
+ return FOUND;
+ }
+}
+
+/* STUB */
+int
+resolve_cmnd(struct sudoers_context *ctx, const char *infile, char **outfile,
+ const char *path)
+{
+ return find_path(infile, outfile, NULL, path, false, NULL);
+}
+
+/* STUB */
+bool
+expand_iolog_path(const char *inpath, char *path, size_t pathlen,
+ const struct iolog_path_escape *escapes, void *closure)
+{
+ return strlcpy(path, inpath, pathlen) < pathlen;
+}
+
+/* STUB */
+bool
+iolog_nextid(const char *iolog_dir, char sessid[7])
+{
+ strlcpy(sessid, "000001", 7);
+ return true;
+}
+
+/* STUB */
+bool
+cb_maxseq(struct sudoers_context *ctx, const char *file,
+ int line, int column, const union sudo_defs_val *sd_un, int op)
+{
+ return true;
+}
+
+/* STUB */
+bool
+cb_iolog_user(struct sudoers_context *ctx, const char *file,
+ int line, int column, const union sudo_defs_val *sd_un, int op)
+{
+ return true;
+}
+
+/* STUB */
+bool
+cb_iolog_group(struct sudoers_context *ctx, const char *file,
+ int line, int column, const union sudo_defs_val *sd_un, int op)
+{
+ return true;
+}
+
+/* STUB */
+bool
+cb_iolog_mode(struct sudoers_context *ctx, const char *file,
+ int line, int column, const union sudo_defs_val *sd_un, int op)
+{
+ return true;
+}
+
+/* STUB */
+bool
+cb_group_plugin(struct sudoers_context *ctx, const char *file,
+ int line, int column, const union sudo_defs_val *sd_un, int op)
+{
+ return true;
+}
+
+/* STUB */
+bool
+cb_timestampowner(struct sudoers_context *ctx, const char *file,
+ int line, int column, const union sudo_defs_val *sd_un, int op)
+{
+ return true;
+}
+
+/* STUB */
+void
+bsdauth_set_style(const char *style)
+{
+ return;
+}
diff --git a/plugins/sudoers/regress/fuzz/fuzz_policy.dict b/plugins/sudoers/regress/fuzz/fuzz_policy.dict
new file mode 100644
index 0000000..d00aeae
--- /dev/null
+++ b/plugins/sudoers/regress/fuzz/fuzz_policy.dict
@@ -0,0 +1,56 @@
+# Policy plugin keywords (all are keyword = value)
+
+# sudoers plugin options from sudo.conf
+"error_recovery"
+"sudoers_file"
+"sudoers_uid"
+"sudoers_gid"
+"sudoers_mode"
+"ldap_conf"
+"ldap_secret"
+
+# command line settings from front-end
+"closefrom"
+"cmnd_chroot"
+"cmnd_cwd"
+"runas_user"
+"runas_group"
+"prompt"
+"set_home"
+"preserve_environment"
+"run_shell"
+"login_shell"
+"implied_shell"
+"preserve_groups"
+"ignore_ticket"
+"update_ticket"
+"noninteractive"
+"sudoedit"
+"login_class"
+"intercept_setid"
+"intercept_ptrace"
+"selinux_role"
+"selinux_type"
+"apparmor_profile"
+"bsdauth_type"
+"network_addrs"
+"max_groups"
+"remote_host"
+"timeout"
+"askpass"
+"plugin_dir"
+"progname"
+
+# user information from front-end
+"user"
+"uid"
+"gid"
+"groups"
+"cwd"
+"tty"
+"host"
+"lines"
+"cols"
+"sid"
+"tcpgid"
+"umask"
diff --git a/plugins/sudoers/regress/fuzz/fuzz_stubs.c b/plugins/sudoers/regress/fuzz/fuzz_stubs.c
new file mode 100644
index 0000000..ce47bf5
--- /dev/null
+++ b/plugins/sudoers/regress/fuzz/fuzz_stubs.c
@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <sys/socket.h>
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <unistd.h>
+#if defined(HAVE_STDINT_H)
+# include <stdint.h>
+#elif defined(HAVE_INTTYPES_H)
+# include <inttypes.h>
+#endif
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#ifdef NEED_RESOLV_H
+# include <arpa/nameser.h>
+# include <resolv.h>
+#endif /* NEED_RESOLV_H */
+#include <netdb.h>
+
+#include <sudoers.h>
+#include <timestamp.h>
+#include <interfaces.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+struct interface_list *
+get_interfaces(void)
+{
+ static struct interface_list empty = SLIST_HEAD_INITIALIZER(interfaces);
+ return &empty;
+}
+
+void
+init_eventlog_config(void)
+{
+ return;
+}
+
+bool
+pivot_root(const char *new_root, struct sudoers_pivot *state)
+{
+ return true;
+}
+
+bool
+unpivot_root(struct sudoers_pivot *state)
+{
+ return true;
+}
+
+int
+group_plugin_query(const char *user, const char *group, const struct passwd *pw)
+{
+ return false;
+}
+
+bool
+set_perms(const struct sudoers_context *ctx, int perm)
+{
+ return true;
+}
+
+bool
+restore_perms(void)
+{
+ return true;
+}
+
+bool
+rewind_perms(void)
+{
+ return true;
+}
+
+bool
+sudo_nss_can_continue(const struct sudo_nss *nss, int match)
+{
+ return true;
+}
diff --git a/plugins/sudoers/regress/fuzz/fuzz_sudoers.c b/plugins/sudoers/regress/fuzz/fuzz_sudoers.c
new file mode 100644
index 0000000..e77634a
--- /dev/null
+++ b/plugins/sudoers/regress/fuzz/fuzz_sudoers.c
@@ -0,0 +1,419 @@
+/*
+ * Copyright (c) 2021-2023 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <sys/socket.h>
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <unistd.h>
+#if defined(HAVE_STDINT_H)
+# include <stdint.h>
+#elif defined(HAVE_INTTYPES_H)
+# include <inttypes.h>
+#endif
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#ifdef NEED_RESOLV_H
+# include <arpa/nameser.h>
+# include <resolv.h>
+#endif /* NEED_RESOLV_H */
+#include <netdb.h>
+
+#include <sudoers.h>
+#include <interfaces.h>
+
+static int fuzz_conversation(int num_msgs, const struct sudo_conv_message msgs[], struct sudo_conv_reply replies[], struct sudo_conv_callback *callback);
+static int fuzz_printf(int msg_type, const char * restrict fmt, ...);
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+/* For set_cmnd_path() */
+static const char *orig_cmnd;
+
+/* Required to link with parser. */
+sudo_conv_t sudo_conv = fuzz_conversation;
+sudo_printf_t sudo_printf = fuzz_printf;
+
+FILE *
+open_sudoers(const char *file, char **outfile, bool doedit, bool *keepopen)
+{
+ /*
+ * If we allow the fuzzer to choose include paths it will
+ * include random files in the file system.
+ * This leads to bug reports that cannot be reproduced.
+ */
+ return NULL;
+}
+
+static int
+fuzz_printf(int msg_type, const char * restrict fmt, ...)
+{
+ return 0;
+}
+
+static int
+fuzz_conversation(int num_msgs, const struct sudo_conv_message msgs[],
+ struct sudo_conv_reply replies[], struct sudo_conv_callback *callback)
+{
+ int n;
+
+ for (n = 0; n < num_msgs; n++) {
+ const struct sudo_conv_message *msg = &msgs[n];
+
+ switch (msg->msg_type & 0xff) {
+ case SUDO_CONV_PROMPT_ECHO_ON:
+ case SUDO_CONV_PROMPT_MASK:
+ case SUDO_CONV_PROMPT_ECHO_OFF:
+ /* input not supported */
+ return -1;
+ case SUDO_CONV_ERROR_MSG:
+ case SUDO_CONV_INFO_MSG:
+ /* no output for fuzzers */
+ break;
+ default:
+ return -1;
+ }
+ }
+ return 0;
+}
+
+bool
+init_envtables(void)
+{
+ return true;
+}
+
+int
+set_cmnd_path(struct sudoers_context *ctx, const char *runchroot)
+{
+ /* Reallocate ctx->user.cmnd to catch bugs in command_matches(). */
+ char *new_cmnd = strdup(orig_cmnd);
+ if (new_cmnd == NULL)
+ return NOT_FOUND_ERROR;
+ free(ctx->user.cmnd);
+ ctx->user.cmnd = new_cmnd;
+ return FOUND;
+}
+
+/* STUB */
+bool
+mail_parse_errors(const struct sudoers_context *ctx)
+{
+ return true;
+}
+
+/* STUB */
+bool
+log_warningx(const struct sudoers_context *ctx, unsigned int flags,
+ const char * restrict fmt, ...)
+{
+ return true;
+}
+
+static int
+sudo_fuzz_query(struct sudoers_context *ctx, const struct sudo_nss *nss,
+ struct passwd *pw)
+{
+ return 0;
+}
+
+static int
+cb_unused(struct sudoers_parse_tree *parse_tree, struct alias *a, void *v)
+{
+ return 0;
+}
+
+bool
+cb_log_input(struct sudoers_context *ctx, const char *file,
+ int line, int column, const union sudo_defs_val *sd_un, int op)
+{
+ return 0;
+}
+
+bool
+cb_log_output(struct sudoers_context *ctx, const char *file,
+ int line, int column, const union sudo_defs_val *sd_un, int op)
+{
+ return 0;
+}
+
+static FILE *
+open_data(const uint8_t *data, size_t size)
+{
+#ifdef HAVE_FMEMOPEN
+ /* Operate in-memory. */
+ return fmemopen((void *)data, size, "r");
+#else
+ char tempfile[] = "/tmp/sudoers.XXXXXX";
+ size_t nwritten;
+ int fd;
+
+ /* Use (unlinked) temporary file. */
+ fd = mkstemp(tempfile);
+ if (fd == -1)
+ return NULL;
+ unlink(tempfile);
+ nwritten = write(fd, data, size);
+ if (nwritten != size) {
+ close(fd);
+ return NULL;
+ }
+ lseek(fd, 0, SEEK_SET);
+ return fdopen(fd, "r");
+#endif
+}
+
+static struct user_data {
+ const char *user;
+ const char *runuser;
+ const char *rungroup;
+} user_data[] = {
+ { "root", NULL, NULL },
+ { "millert", "operator", NULL },
+ { "millert", NULL, "wheel" },
+ { "operator", NULL, NULL },
+ { NULL }
+};
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ struct sudoers_context ctx = { { NULL } };
+ struct user_data *ud;
+ struct sudo_nss sudo_nss_fuzz;
+ struct sudo_nss_list snl = TAILQ_HEAD_INITIALIZER(snl);
+ struct sudoers_parse_tree parse_tree;
+ struct interface_list *interfaces;
+ struct passwd *pw;
+ struct group *gr;
+ const char *gids[10];
+ time_t now;
+ FILE *fp;
+
+ /* Don't waste time fuzzing tiny inputs. */
+ if (size < 5)
+ return 0;
+
+ fp = open_data(data, size);
+ if (fp == NULL)
+ return 0;
+
+ initprogname("fuzz_sudoers");
+ sudoers_debug_register(getprogname(), NULL);
+ if (getenv("SUDO_FUZZ_VERBOSE") == NULL)
+ sudo_warn_set_conversation(fuzz_conversation);
+
+ /* Sudoers locale setup. */
+ sudoers_initlocale(setlocale(LC_ALL, ""), "C");
+ sudo_warn_set_locale_func(sudoers_warn_setlocale);
+ bindtextdomain("sudoers", LOCALEDIR);
+ textdomain("sudoers");
+
+ /* Use the sudoers locale for everything. */
+ sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, NULL);
+
+ /* Prime the group cache */
+ gr = sudo_mkgrent("wheel", 0, "millert", "root", (char *)NULL);
+ if (gr == NULL)
+ goto done;
+ sudo_gr_delref(gr);
+
+ gr = sudo_mkgrent("operator", 5, "operator", "root", "millert", (char *)NULL);
+ if (gr == NULL)
+ goto done;
+ sudo_gr_delref(gr);
+
+ gr = sudo_mkgrent("staff", 20, "root", "millert", (char *)NULL);
+ if (gr == NULL)
+ goto done;
+ sudo_gr_delref(gr);
+
+ gr = sudo_mkgrent("sudo", 100, "root", "millert", (char *)NULL);
+ if (gr == NULL)
+ goto done;
+ sudo_gr_delref(gr);
+
+ /* Prime the passwd cache */
+ pw = sudo_mkpwent("root", 0, 0, "/", "/bin/sh");
+ if (pw == NULL)
+ goto done;
+ gids[0] = "0";
+ gids[1] = "20";
+ gids[2] = "5";
+ gids[3] = NULL;
+ if (sudo_set_gidlist(pw, -1, NULL, (char **)gids, ENTRY_TYPE_FRONTEND) == -1)
+ goto done;
+ sudo_pw_delref(pw);
+
+ pw = sudo_mkpwent("operator", 2, 5, "/operator", "/sbin/nologin");
+ if (pw == NULL)
+ goto done;
+ gids[0] = "5";
+ gids[1] = NULL;
+ if (sudo_set_gidlist(pw, -1, NULL, (char **)gids, ENTRY_TYPE_FRONTEND) == -1)
+ goto done;
+ sudo_pw_delref(pw);
+
+ pw = sudo_mkpwent("millert", 8036, 20, "/home/millert", "/bin/tcsh");
+ if (pw == NULL)
+ goto done;
+ gids[0] = "0";
+ gids[1] = "20";
+ gids[2] = "5";
+ gids[3] = "100";
+ gids[4] = NULL;
+ if (sudo_set_gidlist(pw, -1, NULL, (char **)gids, ENTRY_TYPE_FRONTEND) == -1)
+ goto done;
+ sudo_pw_delref(pw);
+
+ /* The minimum needed to perform matching. */
+ ctx.user.host = ctx.user.shost = strdup("localhost");
+ ctx.runas.host = ctx.runas.shost = strdup("localhost");
+ orig_cmnd = (char *)"/usr/bin/id";
+ ctx.user.cmnd = strdup(orig_cmnd);
+ ctx.user.cmnd_args = strdup("-u");
+ if (ctx.user.host == NULL || ctx.runas.host == NULL ||
+ ctx.user.cmnd == NULL || ctx.user.cmnd_args == NULL)
+ goto done;
+ ctx.user.cmnd_base = sudo_basename(ctx.user.cmnd);
+ time(&now);
+
+ /* Add a fake network interfaces. */
+ interfaces = get_interfaces();
+ if (SLIST_EMPTY(interfaces)) {
+ static struct interface interface;
+
+ interface.family = AF_INET;
+ inet_pton(AF_INET, "128.138.243.151", &interface.addr.ip4);
+ inet_pton(AF_INET, "255.255.255.0", &interface.netmask.ip4);
+ SLIST_INSERT_HEAD(interfaces, &interface, entries);
+ }
+
+ /* Only one sudoers source, the sudoers file itself. */
+ init_parse_tree(&parse_tree, NULL, NULL, &ctx, NULL);
+ memset(&sudo_nss_fuzz, 0, sizeof(sudo_nss_fuzz));
+ sudo_nss_fuzz.parse_tree = &parse_tree;
+ sudo_nss_fuzz.query = sudo_fuzz_query;
+ TAILQ_INSERT_TAIL(&snl, &sudo_nss_fuzz, entries);
+
+ /* Initialize defaults and parse sudoers. */
+ init_defaults();
+ init_parser(&ctx, "sudoers");
+ sudoersrestart(fp);
+ sudoersparse();
+ reparent_parse_tree(&parse_tree);
+
+ if (!parse_error) {
+ /* Match user/host/command against parsed policy. */
+ for (ud = user_data; ud->user != NULL; ud++) {
+ int cmnd_status;
+
+ /* Invoking user. */
+ free(ctx.user.name);
+ ctx.user.name = strdup(ud->user);
+ if (ctx.user.name == NULL)
+ goto done;
+ if (ctx.user.pw != NULL)
+ sudo_pw_delref(ctx.user.pw);
+ ctx.user.pw = sudo_getpwnam(ctx.user.name);
+ if (ctx.user.pw == NULL) {
+ sudo_warnx_nodebug("unknown user %s", ctx.user.name);
+ continue;
+ }
+
+ /* Run user. */
+ if (ctx.runas.pw != NULL)
+ sudo_pw_delref(ctx.runas.pw);
+ if (ud->runuser != NULL) {
+ ctx.runas.user = (char *)ud->runuser;
+ SET(ctx.settings.flags, RUNAS_USER_SPECIFIED);
+ ctx.runas.pw = sudo_getpwnam(ctx.runas.user);
+ } else {
+ ctx.runas.user = NULL;
+ CLR(ctx.settings.flags, RUNAS_USER_SPECIFIED);
+ ctx.runas.pw = sudo_getpwnam("root");
+ }
+ if (ctx.runas.pw == NULL) {
+ sudo_warnx_nodebug("unknown run user %s", ctx.runas.user);
+ continue;
+ }
+
+ /* Run group. */
+ if (ctx.runas.gr != NULL)
+ sudo_gr_delref(ctx.runas.gr);
+ if (ud->rungroup != NULL) {
+ ctx.runas.group = (char *)ud->rungroup;
+ SET(ctx.settings.flags, RUNAS_GROUP_SPECIFIED);
+ ctx.runas.gr = sudo_getgrnam(ctx.runas.group);
+ if (ctx.runas.gr == NULL) {
+ sudo_warnx_nodebug("unknown run group %s",
+ ctx.runas.group);
+ continue;
+ }
+ } else {
+ ctx.runas.group = NULL;
+ CLR(ctx.settings.flags, RUNAS_GROUP_SPECIFIED);
+ ctx.runas.gr = NULL;
+ }
+
+ update_defaults(&ctx, &parse_tree, NULL, SETDEF_ALL, false);
+
+ sudoers_lookup(&snl, &ctx, now, NULL, NULL, &cmnd_status,
+ false);
+
+ /* Match again as a pseudo-command (list, validate, etc). */
+ sudoers_lookup(&snl, &ctx, now, NULL, NULL, &cmnd_status,
+ true);
+
+ /* Display privileges. */
+ display_privs(&ctx, &snl, ctx.user.pw, false);
+ display_privs(&ctx, &snl, ctx.user.pw, true);
+ }
+
+ /* Expand tildes in runcwd and runchroot. */
+ if (ctx.runas.pw != NULL) {
+ if (def_runcwd != NULL && strcmp(def_runcwd, "*") != 0) {
+ expand_tilde(&def_runcwd, ctx.runas.pw->pw_name);
+ }
+ if (def_runchroot != NULL && strcmp(def_runchroot, "*") != 0) {
+ expand_tilde(&def_runchroot, ctx.runas.pw->pw_name);
+ }
+ }
+
+ /* Check Defaults and aliases. */
+ check_defaults(&parse_tree, false);
+ check_aliases(&parse_tree, true, false, cb_unused);
+ }
+
+done:
+ /* Cleanup. */
+ fclose(fp);
+ free_parse_tree(&parse_tree);
+ reset_parser();
+ sudoers_ctx_free(&ctx);
+ sudo_freepwcache();
+ sudo_freegrcache();
+ sudoers_setlocale(SUDOERS_LOCALE_USER, NULL);
+ sudoers_debug_deregister();
+ fflush(stdout);
+
+ return 0;
+}
diff --git a/plugins/sudoers/regress/fuzz/fuzz_sudoers.dict b/plugins/sudoers/regress/fuzz/fuzz_sudoers.dict
new file mode 100644
index 0000000..101e002
--- /dev/null
+++ b/plugins/sudoers/regress/fuzz/fuzz_sudoers.dict
@@ -0,0 +1,221 @@
+# Sudoers policy keywords (all are keyword = value)
+
+# Users and groups
+"root"
+"wheel"
+"staff"
+"sudo"
+
+# Aliases
+"Cmnd_Alias"
+"Cmd_Alias"
+"Host_Alias"
+"Runas_Alias"
+"User_Alias"
+
+# Special keywords
+"ALL"
+"(ALL:ALL)"
+"sudoedit"
+
+# Date_Spec
+"20170214083000Z"
+"2017021408Z"
+"20160315220000-0500"
+"20151201235900"
+
+# Timeout_Spec
+"7d8h30m10s"
+"14d"
+"8h30m"
+"600s"
+"3600"
+
+# Command digests
+"sha224:"
+"sha256:"
+"sha384:"
+"sha512:"
+
+# Command tags
+"NOPASSWD"
+"PASSWD"
+"NOEXEC"
+"EXEC"
+"SETENV"
+"NOSETENV"
+"LOG_INPUT"
+"NOLOG_INPUT"
+"LOG_OUTPUT"
+"NOLOG_OUTPUT"
+"FOLLOWLNK"
+"NOFOLLOWLNK"
+"MAIL"
+"NOMAIL"
+
+# Command options
+"CHROOT"
+"CWD"
+"CMND_TIMEOUT"
+"NOTBEFORE"
+"NOTAFTER"
+"ROLE"
+"TYPE"
+"APPARMOR_PROFILE"
+"PRIVS"
+"LIMITPRIVS"
+
+# Defaults settings
+"Defaults"
+"syslog"
+"syslog_goodpri"
+"syslog_badpri"
+"long_otp_prompt"
+"ignore_dot"
+"mail_always"
+"mail_badpass"
+"mail_no_user"
+"mail_no_host"
+"mail_no_perms"
+"mail_all_cmnds"
+"tty_tickets"
+"lecture"
+"lecture_file"
+"authenticate"
+"root_sudo"
+"log_host"
+"log_year"
+"shell_noargs"
+"set_home"
+"always_set_home"
+"path_info"
+"fqdn"
+"insults"
+"requiretty"
+"env_editor"
+"rootpw"
+"runaspw"
+"targetpw"
+"use_loginclass"
+"set_logname"
+"stay_setuid"
+"preserve_groups"
+"loglinelen"
+"timestamp_timeout"
+"passwd_timeout"
+"passwd_tries"
+"umask"
+"logfile"
+"mailerpath"
+"mailerflags"
+"mailto"
+"mailfrom"
+"mailsub"
+"badpass_message"
+"lecture_status_dir"
+"timestampdir"
+"timestampowner"
+"exempt_group"
+"passprompt"
+"passprompt_override"
+"runas_default"
+"secure_path"
+"editor"
+"listpw"
+"verifypw"
+"noexec"
+"ignore_local_sudoers"
+"closefrom"
+"closefrom_override"
+"setenv"
+"env_reset"
+"env_check"
+"env_delete"
+"env_keep"
+"role"
+"type"
+"apparmor_profile"
+"env_file"
+"restricted_env_file"
+"sudoers_locale"
+"visiblepw"
+"pwfeedback"
+"fast_glob"
+"umask_override"
+"log_input"
+"log_output"
+"compress_io"
+"use_pty"
+"group_plugin"
+"iolog_dir"
+"iolog_file"
+"set_utmp"
+"utmp_runas"
+"privs"
+"limitprivs"
+"exec_background"
+"pam_service"
+"pam_login_service"
+"pam_setcred"
+"pam_session"
+"pam_acct_mgmt"
+"maxseq"
+"use_netgroups"
+"sudoedit_checkdir"
+"sudoedit_follow"
+"always_query_group_plugin"
+"netgroup_tuple"
+"ignore_audit_errors"
+"ignore_iolog_errors"
+"ignore_logfile_errors"
+"match_group_by_gid"
+"syslog_maxlen"
+"iolog_user"
+"iolog_group"
+"iolog_mode"
+"fdexec"
+"ignore_unknown_defaults"
+"command_timeout"
+"user_command_timeouts"
+"iolog_flush"
+"syslog_pid"
+"timestamp_type"
+"authfail_message"
+"case_insensitive_user"
+"case_insensitive_group"
+"log_allowed"
+"log_denied"
+"log_servers"
+"log_server_timeout"
+"log_server_keepalive"
+"log_server_cabundle"
+"log_server_peer_cert"
+"log_server_peer_key"
+"log_server_verify"
+"runas_allow_unknown_id"
+"runas_check_shell"
+"pam_ruser"
+"pam_rhost"
+"runcwd"
+"runchroot"
+"log_format"
+"selinux"
+"admin_flag"
+"intercept"
+"log_subcmds"
+"log_exit_status"
+"intercept_authenticate"
+"intercept_allow_setid"
+"rlimit_as"
+"rlimit_core"
+"rlimit_cpu"
+"rlimit_data"
+"rlimit_fsize"
+"rlimit_locks"
+"rlimit_memlock"
+"rlimit_nofile"
+"rlimit_nproc"
+"rlimit_rss"
+"rlimit_stack"
+"log_passwords"
+"passprompt_regex"
diff --git a/plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok b/plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok
new file mode 100644
index 0000000..11f2ca8
--- /dev/null
+++ b/plugins/sudoers/regress/fuzz/fuzz_sudoers.out.ok
@@ -0,0 +1,577 @@
+Running: examples/sudoers
+Matching Defaults entries for root on localhost:
+ syslog=auth, runcwd=~
+
+Runas and Command-specific defaults for root:
+ Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
+
+
+User root may run the following commands on localhost:
+ (ALL) ALL
+ (ALL) ALL
+
+Matching Defaults entries for root on localhost:
+ syslog=auth, runcwd=~
+
+Runas and Command-specific defaults for root:
+ Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
+
+
+User root may run the following commands on localhost:
+
+Sudoers entry:
+ RunAsUsers: ALL
+ Commands:
+ ALL
+
+Sudoers entry:
+ RunAsUsers: ALL
+ Commands:
+ ALL
+
+Matching Defaults entries for millert on localhost:
+ syslog=auth, runcwd=~, !lecture, runchroot=*, !authenticate
+
+Runas and Command-specific defaults for millert:
+ Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
+
+
+User millert may run the following commands on localhost:
+ (ALL) ALL
+ (root) NOPASSWD: ALL
+
+Matching Defaults entries for millert on localhost:
+ syslog=auth, runcwd=~, !lecture, runchroot=*, !authenticate
+
+Runas and Command-specific defaults for millert:
+ Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
+
+
+User millert may run the following commands on localhost:
+
+Sudoers entry:
+ RunAsUsers: ALL
+ Commands:
+ ALL
+
+Sudoers entry:
+ RunAsUsers: root
+ Options: !authenticate
+ Commands:
+ ALL
+
+Matching Defaults entries for millert on localhost:
+ syslog=auth, runcwd=~, !lecture, runchroot=*, !authenticate
+
+Runas and Command-specific defaults for millert:
+ Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
+
+
+User millert may run the following commands on localhost:
+ (ALL) ALL
+ (root) NOPASSWD: ALL
+
+Matching Defaults entries for millert on localhost:
+ syslog=auth, runcwd=~, !lecture, runchroot=*, !authenticate
+
+Runas and Command-specific defaults for millert:
+ Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
+
+
+User millert may run the following commands on localhost:
+
+Sudoers entry:
+ RunAsUsers: ALL
+ Commands:
+ ALL
+
+Sudoers entry:
+ RunAsUsers: root
+ Options: !authenticate
+ Commands:
+ ALL
+
+Matching Defaults entries for operator on localhost:
+ syslog=auth, runcwd=~
+
+Runas and Command-specific defaults for operator:
+ Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
+
+
+User operator may run the following commands on localhost:
+ (root) /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, /usr/sbin/rrestore, /usr/bin/mt, sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== /home/operator/bin/start_backups, /usr/bin/kill, /usr/bin/top, /usr/sbin/shutdown, /usr/sbin/halt, /usr/sbin/reboot, /usr/sbin/lpc, /usr/bin/lprm, sudoedit /etc/printcap, /usr/oper/bin/
+
+Matching Defaults entries for operator on localhost:
+ syslog=auth, runcwd=~
+
+Runas and Command-specific defaults for operator:
+ Defaults>root !set_logname Defaults!/usr/bin/more, /usr/bin/pg, /usr/bin/less noexec
+
+
+User operator may run the following commands on localhost:
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ /usr/sbin/dump
+ /usr/sbin/rdump
+ /usr/sbin/restore
+ /usr/sbin/rrestore
+ /usr/bin/mt
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== /home/operator/bin/start_backups
+ /usr/bin/kill
+ /usr/bin/top
+ /usr/sbin/shutdown
+ /usr/sbin/halt
+ /usr/sbin/reboot
+ /usr/sbin/lpc
+ /usr/bin/lprm
+ sudoedit /etc/printcap
+ /usr/oper/bin/
+
+Executed examples/sudoers
+Running: regress/sudoers/test1.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test1.in
+Running: regress/sudoers/test2.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test2.in
+Running: regress/sudoers/test3.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test3.in
+Running: regress/sudoers/test4.in
+sudoers:7:1: invalid line continuation
+User_Alias BAR = bar
+^~~~~~~~~~
+Executed regress/sudoers/test4.in
+Running: regress/sudoers/test5.in
+sudoers:2:19: empty string
+User_Alias FOO = ""
+ ^
+sudoers:3:2: empty string
+"" ALL = ALL
+ ^
+Executed regress/sudoers/test5.in
+Running: regress/sudoers/test6.in
+Runas and Command-specific defaults for root:
+ Defaults>#123 set_home
+ Defaults>#123 set_home
+
+
+User root may run the following commands on localhost:
+ (root) ALL
+ (#0 : #0) ALL
+ (root) ALL
+ (#0 : #0) ALL
+ (root) ALL
+ (root) ALL
+
+Runas and Command-specific defaults for root:
+ Defaults>#123 set_home
+ Defaults>#123 set_home
+
+
+User root may run the following commands on localhost:
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ ALL
+
+Sudoers entry:
+ RunAsUsers: #0
+ RunAsGroups: #0
+ Commands:
+ ALL
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ ALL
+
+Sudoers entry:
+ RunAsUsers: #0
+ RunAsGroups: #0
+ Commands:
+ ALL
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ ALL
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ ALL
+
+Runas and Command-specific defaults for millert:
+ Defaults>#123 set_home
+ Defaults>#123 set_home
+
+
+User millert may run the following commands on localhost:
+ (root) ALL
+ (root) ALL
+
+Runas and Command-specific defaults for millert:
+ Defaults>#123 set_home
+ Defaults>#123 set_home
+
+
+User millert may run the following commands on localhost:
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ ALL
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ ALL
+
+Runas and Command-specific defaults for millert:
+ Defaults>#123 set_home
+ Defaults>#123 set_home
+
+
+User millert may run the following commands on localhost:
+ (root) ALL
+ (root) ALL
+
+Runas and Command-specific defaults for millert:
+ Defaults>#123 set_home
+ Defaults>#123 set_home
+
+
+User millert may run the following commands on localhost:
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ ALL
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ ALL
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test6.in
+Running: regress/sudoers/test7.in
+sudoers:2:21: empty group
+User_Alias FOO1 = "%"
+ ^
+sudoers:3:22: empty group
+User_Alias FOO2 = "%:"
+ ^
+sudoers:4:21: empty netgroup
+User_Alias FOO3 = "+"
+ ^
+sudoers:5:19: empty group
+User_Alias FOO4 = %
+ ^
+sudoers:6:19: empty group
+User_Alias FOO5 = %:
+ ^~
+sudoers:7:19: empty netgroup
+User_Alias FOO6 = +
+ ^
+Executed regress/sudoers/test7.in
+Running: regress/sudoers/test8.in
+sudoers:8:20: unexpected line break in string
+User_Alias UA4 = "x
+ ^
+Executed regress/sudoers/test8.in
+Running: regress/sudoers/test9.in
+Executed regress/sudoers/test9.in
+Running: regress/sudoers/test10.in
+Executed regress/sudoers/test10.in
+Running: regress/sudoers/test11.in
+sudoers:1:6: syntax error
+bogus
+ ^
+Executed regress/sudoers/test11.in
+Running: regress/sudoers/test12.in
+sudoers:1:17: syntax error
+user ALL = (ALL)
+ ^
+Executed regress/sudoers/test12.in
+Running: regress/sudoers/test13.in
+sudoers:1:17: syntax error
+user ALL = (ALL)
+ ^
+Executed regress/sudoers/test13.in
+Running: regress/sudoers/test14.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert may run the following commands on localhost:
+ (root) sha224:d06a2617c98d377c250edd470fd5e576327748d82915d6e33b5f8db1, sha224:d7910e1967342b4605cb73a550944044c631cd3514001900966962ac /bin/ls, sha256:hOtoe/iK6SlGg7w4BfZBBdSsXjUmTJ5+ts51yjh7vkM=, sha256:1IXHRCxXgSnIEnb+xBz4PAfWaPdXIBWKFF0QCwxJ5G4= /bin/sh, sha512:srzYEQ2aqzm+it3f74opTMkIImZRLxBARVpb0g9RSouJYdLt7DTRMEY4Ry9NyaOiDoUIplpNjqYH0JMYPVdFnw /bin/kill
+
+User millert may run the following commands on localhost:
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ sha224:d06a2617c98d377c250edd470fd5e576327748d82915d6e33b5f8db1, sha224:d7910e1967342b4605cb73a550944044c631cd3514001900966962ac /bin/ls
+ sha256:hOtoe/iK6SlGg7w4BfZBBdSsXjUmTJ5+ts51yjh7vkM=, sha256:1IXHRCxXgSnIEnb+xBz4PAfWaPdXIBWKFF0QCwxJ5G4= /bin/sh
+ sha512:srzYEQ2aqzm+it3f74opTMkIImZRLxBARVpb0g9RSouJYdLt7DTRMEY4Ry9NyaOiDoUIplpNjqYH0JMYPVdFnw /bin/kill
+
+User millert may run the following commands on localhost:
+ (root) sha224:d06a2617c98d377c250edd470fd5e576327748d82915d6e33b5f8db1, sha224:d7910e1967342b4605cb73a550944044c631cd3514001900966962ac /bin/ls, sha256:hOtoe/iK6SlGg7w4BfZBBdSsXjUmTJ5+ts51yjh7vkM=, sha256:1IXHRCxXgSnIEnb+xBz4PAfWaPdXIBWKFF0QCwxJ5G4= /bin/sh, sha512:srzYEQ2aqzm+it3f74opTMkIImZRLxBARVpb0g9RSouJYdLt7DTRMEY4Ry9NyaOiDoUIplpNjqYH0JMYPVdFnw /bin/kill
+
+User millert may run the following commands on localhost:
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ sha224:d06a2617c98d377c250edd470fd5e576327748d82915d6e33b5f8db1, sha224:d7910e1967342b4605cb73a550944044c631cd3514001900966962ac /bin/ls
+ sha256:hOtoe/iK6SlGg7w4BfZBBdSsXjUmTJ5+ts51yjh7vkM=, sha256:1IXHRCxXgSnIEnb+xBz4PAfWaPdXIBWKFF0QCwxJ5G4= /bin/sh
+ sha512:srzYEQ2aqzm+it3f74opTMkIImZRLxBARVpb0g9RSouJYdLt7DTRMEY4Ry9NyaOiDoUIplpNjqYH0JMYPVdFnw /bin/kill
+
+User operator may run the following commands on localhost:
+ (root) sha384:knMlCLkJ71K6uRrKo5C1CAvZ5kq+mRpjKDD/RofGosFjiGcYhiYYZORVyiRHgBnu, sha256:1IXHRCxXgSnIEnb+xBz4PAfWaPdXIBWKFF0QCwxJ5G4= ALL
+
+User operator may run the following commands on localhost:
+
+Sudoers entry:
+ RunAsUsers: root
+ Commands:
+ sha384:knMlCLkJ71K6uRrKo5C1CAvZ5kq+mRpjKDD/RofGosFjiGcYhiYYZORVyiRHgBnu, sha256:1IXHRCxXgSnIEnb+xBz4PAfWaPdXIBWKFF0QCwxJ5G4= ALL
+
+Executed regress/sudoers/test14.in
+Running: regress/sudoers/test15.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test15.in
+Running: regress/sudoers/test16.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test16.in
+Running: regress/sudoers/test17.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test17.in
+Running: regress/sudoers/test18.in
+sudoers:4:21: invalid timeout value
+user0 ALL = TIMEOUT=7dd4h10m30s /usr/bin/id, /usr/bin/who, TIMEOUT=0 /bin/ls
+ ^~~~~~~~~~~
+sudoers:5:21: invalid timeout value
+user1 ALL = TIMEOUT=7d4h10mm30s /usr/bin/id
+ ^~~~~~~~~~~
+sudoers:6:21: invalid timeout value
+user2 ALL = TIMEOUT=4hg10m30s /usr/bin/id
+ ^~~~~~~~~
+sudoers:7:21: invalid timeout value
+user3 ALL = TIMEOUT=10m30ss /usr/bin/id
+ ^~~~~~~
+sudoers:8:21: invalid timeout value
+user4 ALL = TIMEOUT=14g /usr/bin/id
+ ^~~
+Executed regress/sudoers/test18.in
+Running: regress/sudoers/test19.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test19.in
+Running: regress/sudoers/test20.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test20.in
+Running: regress/sudoers/test21.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test21.in
+Running: regress/sudoers/test22.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test22.in
+Running: regress/sudoers/test23.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test23.in
+Running: regress/sudoers/test24.in
+User root is not allowed to run sudo on localhost.
+
+User root is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User millert is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+User operator is not allowed to run sudo on localhost.
+
+Executed regress/sudoers/test24.in
+Running: regress/sudoers/test25.in
+sudoers:4:28: syntax error
+foo ALL = CWD=~ron /bin/ls \
+ ^~
+Executed regress/sudoers/test25.in
diff --git a/plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c b/plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c
new file mode 100644
index 0000000..9f9b394
--- /dev/null
+++ b/plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2021 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <unistd.h>
+#if defined(HAVE_STDINT_H)
+# include <stdint.h>
+#elif defined(HAVE_INTTYPES_H)
+# include <inttypes.h>
+#endif
+
+#include <sudoers.h>
+
+static int fuzz_printf(int msg_type, const char * restrict fmt, ...);
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+
+/* Required to link with parser. */
+sudo_printf_t sudo_printf = fuzz_printf;
+
+FILE *
+open_sudoers(const char *file, char **outfile, bool doedit, bool *keepopen)
+{
+ /*
+ * If we allow the fuzzer to choose include paths it will
+ * include random files in the file system.
+ * This leads to bug reports that cannot be reproduced.
+ */
+ return NULL;
+}
+
+static int
+fuzz_printf(int msg_type, const char * restrict fmt, ...)
+{
+ return 0;
+}
+
+bool
+init_envtables(void)
+{
+ return true;
+}
+
+int
+set_cmnd_path(struct sudoers_context *ctx, const char *runchroot)
+{
+ /* Cannot return FOUND without also setting ctx->user.cmnd to a new value. */
+ return NOT_FOUND;
+}
+
+static FILE *
+open_data(const uint8_t *data, size_t size)
+{
+#ifdef HAVE_FMEMOPEN
+ /* Operate in-memory. */
+ return fmemopen((void *)data, size, "r");
+#else
+ char tempfile[] = "/tmp/ldif.XXXXXX";
+ size_t nwritten;
+ int fd;
+
+ /* Use (unlinked) temporary file. */
+ fd = mkstemp(tempfile);
+ if (fd == -1)
+ return NULL;
+ unlink(tempfile);
+ nwritten = write(fd, data, size);
+ if (nwritten != size) {
+ close(fd);
+ return NULL;
+ }
+ lseek(fd, 0, SEEK_SET);
+ return fdopen(fd, "r");
+#endif
+}
+
+static int
+fuzz_conversation(int num_msgs, const struct sudo_conv_message msgs[],
+ struct sudo_conv_reply replies[], struct sudo_conv_callback *callback)
+{
+ int n;
+
+ for (n = 0; n < num_msgs; n++) {
+ const struct sudo_conv_message *msg = &msgs[n];
+
+ switch (msg->msg_type & 0xff) {
+ case SUDO_CONV_PROMPT_ECHO_ON:
+ case SUDO_CONV_PROMPT_MASK:
+ case SUDO_CONV_PROMPT_ECHO_OFF:
+ /* input not supported */
+ return -1;
+ case SUDO_CONV_ERROR_MSG:
+ case SUDO_CONV_INFO_MSG:
+ /* no output for fuzzers */
+ break;
+ default:
+ return -1;
+ }
+ }
+ return 0;
+}
+
+int
+LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ struct sudoers_context ctx = { { NULL } };
+ struct sudoers_parse_tree parse_tree;
+ FILE *fp;
+
+ /* Don't waste time fuzzing tiny inputs. */
+ if (size < 5)
+ return 0;
+
+ fp = open_data(data, size);
+ if (fp == NULL)
+ return 0;
+
+ initprogname("fuzz_sudoers_ldif");
+ sudoers_debug_register(getprogname(), NULL);
+ if (getenv("SUDO_FUZZ_VERBOSE") == NULL)
+ sudo_warn_set_conversation(fuzz_conversation);
+
+ /* Initialize defaults and parse LDIF-format sudoers. */
+ init_defaults();
+ init_parse_tree(&parse_tree, NULL, NULL, &ctx, NULL);
+ sudoers_parse_ldif(&parse_tree, fp, "ou=SUDOers,dc=sudo,dc=ws", true);
+
+ /* Cleanup. */
+ free_parse_tree(&parse_tree);
+ fclose(fp);
+ sudoers_debug_deregister();
+ fflush(stdout);
+
+ return 0;
+}
diff --git a/plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.dict b/plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.dict
new file mode 100644
index 0000000..7c4d2d0
--- /dev/null
+++ b/plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.dict
@@ -0,0 +1,14 @@
+# Sudoers LDIF attributes
+
+"description"
+"objectClass"
+"organizationalRole"
+"sudoCommand"
+"sudoHost"
+"sudoOption"
+"sudoOption"
+"sudoOrder"
+"sudoRunAs"
+"sudoRunAsGroup"
+"sudoRunAsUser"
+"sudoUser"